Prisma Access Agent 25.3.1 Known Issues
Focus
Focus
Prisma Access Agent

Prisma Access Agent 25.3.1 Known Issues

Table of Contents

Prisma Access Agent 25.3.1 Known Issues

Review the known issues in Prisma Access Agent 25.3.1.
Prisma Access Agent version 25.3.1 has the following known issues:
Issue IDDescription
PANG-8200
An issue exists where the Prisma Access Agent app interface displays inconsistent behavior between Windows and Mac platforms when users execute the pacli epm signout command without the --keep parameter. When users run the ./pacli epm signout command on Mac systems, the app correctly resets the login view and displays Select Server Name in the Server Name field instead of showing the previously connected server. However, on Windows systems, the app continues to display the previously connected server FQDN rather than resetting to the default Select Server Name prompt.
The app sign-out function and the pacli epm signout --keep command both maintain consistent behavior across both Windows and Mac platforms by preserving the previously connected server information.
PANG-8053
An issue exists where the Prisma Access Agent on Windows fails to establish a pre-logon tunnel when the forwarding profile's default behavior is configured to Best Available - Fail Safe. The fail-safe configuration prevents the pre-logon tunnel creation process from completing successfully, disrupting the expected connectivity sequence during the Windows pre-logon phase. When the forwarding profile is set to Best Available - Fail Open as the default behavior, the pre-logon tunnel establishes without issue, indicating that the fail-safe mechanism is incorrectly interfering with the tunnel establishment process. This behavior contradicts the expected functionality where pre-logon tunnels should be created regardless of whether the forwarding profile default is configured for fail-safe or fail-open operations.
PANG-7960
Resolved in Prisma Access Agent 25.4
An issue exists where the Prisma Access Agent on Windows blocks authentication in the embedded browser due to the Best Available - Fail Safe mechanism in the forwarding profile triggering during the initial connection attempt.
When the agent is configured to run in on-demand mode and the user launches the agent after a reboot, the authentication process encounters interference from the fail-safe mechanism. Users experience authentication failures in the default browser as expected when fail-safe triggers, but when they switch to the embedded browser, the first authentication attempt also gets blocked by the fail-safe mechanism. The authentication only succeeds when users cancel the initial embedded browser attempt and retry the process. The embedded browser should bypass or properly handle the fail-safe mechanism to enable successful authentication on the first attempt without requiring users to cancel and retry the authentication process.
PANG-7309
Resolved in Prisma Access Agent 25.4
An issue exists where the Prisma Access Agent on Windows fails to automatically switch from an external gateway to an internal gateway when the user's device wakes from sleep mode. This occurs when the user connects the agent to an external network and then puts the device to sleep for an extended period before waking it on an internal network. The agent remains connected to the external gateway instead of automatically detecting and switching to the appropriate internal gateway. Attempting to sign out and sign back in through the Prisma Access Agent app does not resolve the connection issue, as the agent continues to maintain its connection to the external gateway.
Workaround: The user needs to sign out using the pacli epm signout command and then sign back in using the Prisma Access Agent app, after which the agent will successfully establish a connection to the internal gateway as expected.